Meraki

Community

Unable to block traffic between VLANS

BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 22 2024 2:26 AM
‎Nov 22 2024 2:26 AM

Unable to block traffic between VLANS

I am trying to block traffic between two VLANS on an MX8CW and nothing I have tried works and I feel like it's probably something simple. I have tried blocking using CIDR and VLAN ( screenshots below), neither of the rules are showing any hits and I can ping devices from either direction. 

 

I have another rule not shown that blocks a device from accessing the internet and that works fine so I am out of ideas. If anyone has any suggestions that would be appreciated.

 

Screenshot 2024-11-22 at 11.04.59 PM.png

 

Screenshot 2024-11-22 at 11.13.20 PM.png

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
7 Replies 7
Brash
Kind of a big deal
Kind of a big deal
‎Nov 22 2024 2:40 AM
‎Nov 22 2024 2:40 AM

Hmmm the only things that come to mind are the usual:

1. Either reboot the MX or wait at least 15 mins after creating the rule before testing

2. Ensure you're not testing using IP addresses on the MX as they will always respond to ping across VLANs

AmitPanchal
Here to help
‎Nov 22 2024 2:48 AM
‎Nov 22 2024 2:48 AM

Are the L3 VLAN interfaces configured on the firewall. If No then these rules are of no use. Also try by creating a vice-versa rule like from testing to default and from default to testing and then check.

Frank-NL
Getting noticed
‎Nov 22 2024 5:21 AM
‎Nov 22 2024 5:21 AM

If you are sure the traffic is being routed by the MX, you can confirm that with a packet capture

0 Kudos
In response to Frank-NL
Frank-NL
Getting noticed
‎Nov 22 2024 5:21 AM
‎Nov 22 2024 5:21 AM

*If you want to be really sure

0 Kudos
Frank-NL
Getting noticed
‎Nov 22 2024 5:21 AM
‎Nov 22 2024 5:21 AM

The rule configuration is good in both screenshots

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 24 2024 11:55 AM
‎Nov 24 2024 11:55 AM

If you are not making progress, try making the blocking rules symmetric.  Block 192.168.4.0/24 to 192.168.10.0/24 and 192.168.10.0/24 to 192.168.4.0/24.

 

The firewall engine on MX is flow-based.  Firewall rules only take effect on new flows as they are created.  So you could be accessing something, create a firewall rule to block it, but because the existing flow has already been created it will cotntinue to work till it expires.

That's why you sometimes have to wait 10 minutes (or reboot as @Brash mentions).

 

Also note that firewall rules don't apply to the MX interfaces themselves.

0 Kudos
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 24 2024 11:58 AM
‎Nov 24 2024 11:58 AM

Thanks everyone, using VLANs instead of subnet CIDR did the trick after waiting 20 odd mins. L3 interfaces are setup on the MX and I was pinging devices on the subnets not the L3 interfaces. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.